
ID theft blown out of proportion?

A new study points out that even if your information is stolen, you are …

ID Analytics, a San Diego-based risk management firm, has released the results of a detailed analysis of ID theft. The study covered breaches at four separate companies, providing the firm with about half a million compromised identities to work with. The net result shows that we may have less to worry about than we might think.

It appears that, at least in the case of large-scale data breaches, the odds of being a bona fide identity theft victim can run as low as one percent or less. Unfortunately, we can't credit that cozy fact to any special diligence on the part of security experts, but simply to the major workload involved in processing large quantities of stolen data:

...it takes approximately five minutes to fill out a credit application. At this rate, it would take a fraudster working full-time — averaging 6.5 hours a day, five days a week, 50 weeks a year — over 50 years to fully utilize a breached file consisting of one million consumer identities. If the criminal outsourced the work at a rate of $10 an hour in an effort to use a breached file of the same size in one year, it would cost that criminal about $830,000.

Not to mention the cost of providing benefits and a retirement plan. I suspect that it could be the wiser thief who learns to rein in his or her appetite, preferring to grab a more "do-able" chunk of data for the in-box that may attract less attention.

The report also goes into the various levels of data breach, pointing out that not every breach is a cause for the same measure of concern:

In the research, ID Analytics distinguishes between "identity-level" breaches, where names and Social Security numbers were stolen and "account-level" breaches, where only account numbers, sometimes associated with names, were stolen. ID Analytics also discovered that the degree of risk varies based on the nature of the data breach, for example, whether the breach was the result of a deliberate hacking into a database or a seemingly unintentional loss of data, such as tapes or disks being lost in transit.

Knowing the level of risk allows for a measured response on the part of the compromised organization. However, I have to wonder if companies will use studies like this to justify measuring their response downward, especially where consumer notification is concerned. Given the credit industry's track record on the relatively simple subject of credit freezes, consumer-friendly moves are probably not something we should count on.

I do find it somewhat disturbing that four companies accounted for 500,000 stolen identities in the study, and it makes me wonder just how much we don't hear about. If the odds of damage to any specific individual are slim, why not handle things internally and avoid embarrassing yourself? Fortunately, there are laws in the works that would require companies to inform customers of stolen data. Ignorance may be bliss, but I'd rather know if my info falls into the wrong hands.